
Today I met a challenge: I needed to set up a good, working Wi-Fi network across the whole building using sixteen access points (APs). My previous setups were simple deployments of standalone access points, each configured by hand, with many channels and other settings that I had to configure on every AP.

So I built a centralized access point management setup for an office environment that scales to many access points. This is done by running the Controlled Access Point system Manager (CAPsMAN) on a router and connecting Controlled Access Points (CAPs) to it. I have two bands, 2.4 GHz and 5 GHz, both under one SSID. I followed this howto:

https://wiki.mikrotik.com/wiki/Manual:Simple_CAPsMAN_setup

As the CAPsMAN I used powerful hardware: a MikroTik CCR1009-7G-1C-1S+. As CAPs I use the hAP ac, a dual-band Wi-Fi AP.

I assume that you have some experience with MikroTik devices and their configuration, so this post uses only terminal commands, with explanations.

So, let's begin.

Assume that we have a default VLAN 600 with no DHCP and no internet connection; it is a dummy VLAN that leads nowhere. Then we have three more VLANs: one for management (3), one for guests (4) and one for employees (5). Routing between these VLANs is provided by a Linux router that is beyond the scope of this post. We use:

192.168.1.0/24 – management, VLAN ID 3

192.168.2.0/24 – guests, VLAN ID 4

192.168.3.0/24 – employees, VLAN ID 5

Create a bond of four links, for high bandwidth, with the default VLAN 600:

Now we can configure our first CAP. This is done only once: all Wi-Fi settings will be configured via CAPsMAN itself. So I set the CAPs up to be accessed over, and to send data only via, the management VLAN (VLAN ID 3). All traffic is forwarded to the CAPsMAN.

Now we download the CA public certificate from our CAPsMAN and import it. Then we create a local certificate and send it as a template to the SCEP server running on the CAPsMAN. We must approve this template manually, and it is then signed by the CA certificate we created earlier on the CAPsMAN. This signed certificate is used for encrypted communication between the CAPs and the CAPsMAN. This step must be done manually for each CAP separately.

And finally, we set this on the CAPsMAN to provision radio settings to CAP1, then CAP2, and so on. We could restrict this to the MAC address of CAP1; my setting allows any CAP whose certificate has previously been granted to connect.

I made a basic installation of CentOS 8 Stream from the ISO CentOS-Stream-8-x86_64-20191219-boot.iso.

During installation I chose the minimal install with standard utilities. Enable network time and use LVM on the virtio disk. I set a password for root and created a new user with root privileges.

After installation I created an encrypted LVM partition to store Nextcloud's data on, so I will not use Nextcloud's own data encryption. The command below creates the encrypted device; the passphrase must be entered twice.

Now I write 4 GB of zeros to this device to check that everything is OK. It is possible to fill the whole device, but that can take a long time. The real reason for doing this is that it allocates the blocks with zeros, which are written to disk as ciphertext, so the outside world sees the device as random data; this protects against disclosure of usage patterns.
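The procedure above (LUKS format, the zero fill, and LVM on top) as one script. This is an added example and not the post's own commands; the disk /dev/vdb, the mapper name nextcloud_crypt, the VG vg_nextcloud, the LV lv_data and the mount point /srv/nextcloud are assumptions, and the post does not cover crypttab or fstab entries, so neither does this script. With DRY_RUN=1 it prints the commands instead of executing them (executing needs root).

```shell
#!/bin/sh
# Added example, not the post's own commands: format a disk with LUKS, fill the
# mapped device with zeros so unused space is stored as ciphertext, then put LVM
# on top for the Nextcloud data. Assumed names: the virtio disk /dev/vdb, the
# mapper name nextcloud_crypt, VG vg_nextcloud, LV lv_data and mount point
# /srv/nextcloud. DRY_RUN=1 prints the commands instead of running them.

DISK="${DISK:-/dev/vdb}"
CRYPT="${CRYPT:-nextcloud_crypt}"
VG="${VG:-vg_nextcloud}"
LV="${LV:-lv_data}"
MOUNT="${MOUNT:-/srv/nextcloud}"
ZERO_MB="${ZERO_MB:-4096}"   # the post writes 4 GB; 0 means fill the whole device

# Print the command in dry-run mode, otherwise execute it (needs root).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# luksFormat asks for the passphrase twice; open maps the plaintext view.
luks_setup() {
    run cryptsetup luksFormat --type luks2 "$DISK"
    run cryptsetup open "$DISK" "$CRYPT"
}

# Zeros written through the mapping land on disk as ciphertext, so someone
# reading the raw disk cannot tell used blocks from unused ones. A whole-device
# fill ends when dd runs into the end of the device, which dd reports as an error.
zero_fill() {
    if [ "$ZERO_MB" -gt 0 ]; then
        run dd if=/dev/zero of="/dev/mapper/$CRYPT" bs=1M count="$ZERO_MB" status=progress
    else
        run dd if=/dev/zero of="/dev/mapper/$CRYPT" bs=1M status=progress || true
    fi
}

# LVM on the mapped device so the data volume can be resized later.
lvm_setup() {
    run pvcreate "/dev/mapper/$CRYPT"
    run vgcreate "$VG" "/dev/mapper/$CRYPT"
    run lvcreate -l 100%FREE -n "$LV" "$VG"
}

# File system and mount point for the Nextcloud data directory.
fs_setup() {
    run mkfs.xfs "/dev/$VG/$LV"
    run mkdir -p "$MOUNT"
    run mount "/dev/$VG/$LV" "$MOUNT"
}

# The whole procedure, in the order the steps depend on each other.
full_plan() {
    luks_setup
    zero_fill
    lvm_setup
    fs_setup
}

if [ "${RUN_MAIN:-0}" = 1 ]; then full_plan; fi
```

Run `DRY_RUN=1 RUN_MAIN=1 sh luks-lvm.sh` first to review the nine commands it would issue; `ZERO_MB=0` switches the partial fill to a full one. The zero fill is done on the mapper device before LVM is created, which is the point in the post where the zeros are written.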

Installing Nextcloud and prerequisites

Now we can start preparing our CentOS for Nextcloud.

First, update the system via dnf (DNF is the next major version of YUM, the package manager for RPM-based Linux distributions. It roughly maintains CLI compatibility with YUM and defines a strict API for extensions and plugins):

dnf update -y

Next, we install MariaDB and create an empty database for our Nextcloud, then start it and enable it to start after boot. If you wish, you can skip the MariaDB installation and use the built-in SQLite instead. Then continue with installing the Apache web server.
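The MariaDB step as an added example (not the post's own commands): it installs and enables the service and creates the Nextcloud database with its own account, so the web application never holds the database root credentials. The database and user name "nextcloud" are assumptions; the password is generated when the script runs. DRY_RUN=1 prints the commands and the SQL instead of executing them.

```shell
#!/bin/sh
# Added example, not the post's own commands: install MariaDB, enable it on boot,
# and create the Nextcloud database plus a user whose grants stop at that one
# database. Assumed names: database "nextcloud", user 'nextcloud'@'localhost'.
# DRY_RUN=1 prints instead of running (running needs root).

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 24 random bytes, base64-encoded; no quote characters, so it is safe inside the SQL.
gen_password() {
    openssl rand -base64 24
}

# utf8mb4 is what Nextcloud expects; the GRANT is scoped to the one schema, so a
# compromised web app cannot read or alter other databases on the same server.
nextcloud_db_sql() {
    db="$1"; user="$2"; pass="$3"
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\` CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
CREATE USER IF NOT EXISTS '$user'@'localhost' IDENTIFIED BY '$pass';
GRANT ALL PRIVILEGES ON \`$db\`.* TO '$user'@'localhost';
FLUSH PRIVILEGES;
EOF
}

install_and_create() {
    run dnf install -y mariadb-server
    run systemctl enable --now mariadb
    pass=$(gen_password)
    if [ "${DRY_RUN:-0}" = 1 ]; then
        nextcloud_db_sql nextcloud nextcloud "$pass"
    else
        # root connects over the unix socket on a fresh CentOS 8 install.
        nextcloud_db_sql nextcloud nextcloud "$pass" | mysql
        printf 'Nextcloud DB user: nextcloud  password: %s\n' "$pass"
    fi
}

if [ "${RUN_MAIN:-0}" = 1 ]; then install_and_create; fi
```

The printed user name and password are what the web installer asks for in the MariaDB step later on.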

Finally, we can access our Nextcloud and set the administrator's password via the web: http://your-ip/

If you see the default httpd welcome page, comment out all lines in /etc/httpd/conf.d/welcome.conf. Now you must complete the installation via the web interface: set the administrator's password and point it at MariaDB with the credentials used above:

In Nextcloud's settings, go to Administration > Overview. You may see some problems; if so, try to fix them. I had three. The first: no APCu memory cache configured. So add to Nextcloud's config.php:

'memcache.local' => '\OC\Memcache\APCu',

Then I had to edit some PHP variables to set up opcache properly. Edit and adjust:

vim /etc/php.d/10-opcache.ini

Then I had to edit the httpd settings, because .htaccess was not working. So change the Apache config:

Next, I found that my Nextcloud instance could not connect to the internet to check for updates. I suspected SELinux (enforcing mode), so I ran a check to find out what was happening:

sealert -a /var/log/audit/audit.log

And the result:

SELinux is preventing /usr/sbin/php-fpm from name_connect access on the tcp_socket port 80
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Source Path /usr/sbin/php-fpm
Port 80
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
---------
If you believe that php-fpm should be allowed name_connect access on the port 80 tcp_socket by default.
If you want to allow httpd to can network connect
Then you must tell SELinux about this by enabling the 'httpd_can_network_connect' boolean.

So I allow httpd to make network connections via:

setsebool -P httpd_can_network_connect 1
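The sealert-to-setsebool step above, as an added example that is not from the original post: it extracts the boolean name from the sealert report, checks it against a short list of booleans reviewed in advance, and only then sets it persistently. The report text embedded below is constructed to mirror the post's output, and the function names are this example's own. One caveat worth knowing: httpd_can_network_connect lets the httpd_t domain (httpd and php-fpm) open TCP connections to any host and port, which the update check needs; where only a remote database were needed, httpd_can_network_connect_db is the narrower boolean.

```shell
#!/bin/sh
# Added example, not from the original post: parse a sealert report for the
# boolean it suggests, allow only booleans we have reviewed, then set them
# persistently. DRY_RUN=1 prints the setsebool command instead of running it.

# Constructed sealert excerpt (wording as printed by sealert in the post).
SAMPLE_REPORT=$(cat <<'EOF'
SELinux is preventing /usr/sbin/php-fpm from name_connect access on the tcp_socket port 80
Source Context system_u:system_r:httpd_t:s0
If you want to allow httpd to can network connect
Then you must tell SELinux about this by enabling the 'httpd_can_network_connect' boolean.
EOF
)

# Print every boolean name the report proposes, one per line, de-duplicated.
suggested_booleans() {
    printf '%s\n' "$1" | sed -n "s/.*enabling the '\([a-z_]*\)' boolean.*/\1/p" | sort -u
}

# Booleans reviewed in advance. httpd_can_network_connect opens all outbound TCP
# for httpd_t; httpd_can_network_connect_db covers only database ports.
ALLOWED_BOOLEANS="httpd_can_network_connect httpd_can_network_connect_db"

is_allowed() {
    for b in $ALLOWED_BOOLEANS; do
        [ "$b" = "$1" ] && return 0
    done
    return 1
}

# Apply allowed suggestions; anything else is reported for manual review.
apply_suggestions() {
    suggested_booleans "$1" | while read -r bool; do
        if is_allowed "$bool"; then
            if [ "${DRY_RUN:-0}" = 1 ]; then
                printf 'setsebool -P %s 1\n' "$bool"
            else
                getsebool "$bool"            # show the value before the change
                setsebool -P "$bool" 1       # -P makes it survive a reboot
            fi
        else
            printf 'NOT APPLIED (review first): %s\n' "$bool" >&2
        fi
    done
}

if [ "${RUN_MAIN:-0}" = 1 ]; then
    apply_suggestions "$(sealert -a /var/log/audit/audit.log)"
fi
```

Running it with `RUN_MAIN=1` feeds the live sealert report through the same functions; a boolean outside the reviewed list is printed to stderr rather than set.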

And that completes it. If you want secure HTTP (HTTPS), look for another post on this site.

Now gracefully restart your web server and point your browser at your domain, www.example.com (I edited my /etc/hosts to point this domain at my internal IP).

apachectl graceful

If the test page works, let's continue with more things. We must install additional packages for WordPress: a MySQL server and PHP. As the MySQL server I use MariaDB. Then create an initial configuration for MySQL and create the database for WordPress. I set no password for MySQL.

-A INPUT: The -A flag appends a rule to the end of a chain. This is the portion of the command that tells iptables that we wish to add a new rule, that we want that rule added to the end of the chain, and that the chain we want to operate on is the INPUT chain.

Now we can allow the specific ports or services we want:

Now we must add a rule for the loopback interface, because we currently block it. If we added it with the above command, it would go at the end of the chain (after the drop-all rule), so all loopback traffic would still be blocked. We must add it at the beginning of the chain:

iptables -I INPUT 1 -i lo -j ACCEPT

-I INPUT 1: The -I flag tells iptables to insert a rule. This is different than the -A flag which appends a rule to the end. The -I flag takes a chain and the rule position where you want to insert the new rule.

-i lo: This component of the rule matches if the interface that the packet is using is the “lo” interface. The “lo” interface is another name for the loopback device. This means that any packet using that interface to communicate (packets generated on our server, for our server) should be accepted.

Now we have five rules that ACCEPT the packets we want, and a sixth rule that DROPs all other packets.

Dropping everything else can be done in two ways. The first way is what we have now: the chain's default policy is ACCEPT, our five rules catch certain packets, and at the end the sixth rule catches and DROPs all remaining packets. If the firewall breaks or we accidentally flush our rules, we can still connect to the server, because the default chain policy is ACCEPT.

The second way is to set the default chain policy to DROP and put our five rules first. If a packet is matched by one of these rules it is ACCEPTed; otherwise it is DROPped by the default policy. The risk is that if we flush our firewall rules, we can no longer reach the server over the network, because the default chain policy is DROP. So first we need the rules mentioned above, except the DROP rule, and then, at the end, we change the default chain policy with this command:

So we can see that we DROP the packets we want to drop and ACCEPT the packets we want to accept, and that this can be done in two ways. Pick the one you want. I prefer the second way, because I have another way to access the server (a console keyboard connected directly to it), so if something goes wrong I am still able to reach it.

If you choose the first way, you must add any further rules before the DROP rule, because otherwise they would be matched by it. Like the loopback rule, you must insert them somewhere before the DROP rule. See the lines:
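Both ways of building the INPUT chain as one script. This is an added example and not the post's own listing; the five ACCEPT rules it assumes are loopback, established/related connections, SSH (22), HTTP (80) and HTTPS (443), and the function names are this example's own. It also adds two checks the post's discussion calls for: a detector for ACCEPT rules that were appended behind the drop-all rule (and so can never match), and a helper that computes the position to use with -I so that a rule added later in the first way lands in front of the DROP rule rather than at position 1. DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not the post's own listing: build the INPUT chain the two ways
# the post describes and check rule ordering. DRY_RUN=1 prints instead of
# executing (executing needs root). Ports 22/80/443 are assumptions.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The five ACCEPT rules. Loopback and established/related go first so that
# nothing later in the chain can shadow them.
accept_rules() {
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    run iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    run iptables -A INPUT -p tcp --dport 443 -j ACCEPT
}

# First way: policy stays ACCEPT; an explicit final rule drops the rest.
# Flushing the chain leaves the host reachable (policy ACCEPT).
firewall_first_way() {
    run iptables -P INPUT ACCEPT
    run iptables -F INPUT
    accept_rules
    run iptables -A INPUT -j DROP
}

# Second way: the policy itself drops. The rules go in before the policy is
# flipped so the SSH session is not cut mid-way. Flushing the chain here locks
# out everyone except a console login.
firewall_second_way() {
    run iptables -P INPUT ACCEPT     # stay permissive while rebuilding
    run iptables -F INPUT
    accept_rules
    run iptables -P INPUT DROP
}

# Check a planned rule list: any ACCEPT appended after the drop-all rule is
# dead (never reached). Prints the dead rules and returns 1 if there are any.
dead_rules() {
    printf '%s\n' "$1" | awk '
        /-A INPUT -j DROP$/ { seen = 1; next }
        seen && /-A INPUT/  { print; dead = 1 }
        END { if (dead) exit 1 }'
}

# Position of the drop-all rule in an "iptables -S INPUT" listing, i.e. the
# number to give -I INPUT so a new rule lands directly in front of it.
drop_position() {
    printf '%s\n' "$1" | awk '/^-A INPUT/ { n++ } /^-A INPUT -j DROP$/ { print n; exit }'
}

# First way, adding a port later: -A would land behind the DROP rule, so insert
# at the DROP rule's own position. $2 (a listing) is optional, for dry runs.
allow_port_first_way() {
    listing="${2:-$(iptables -S INPUT)}"
    pos=$(drop_position "$listing")
    run iptables -I INPUT "${pos:-1}" -p tcp --dport "$1" -j ACCEPT
}

# Constructed listing in "iptables -S INPUT" format, as the first way produces.
SAMPLE_LISTING=$(cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
EOF
)

if [ "${RUN_MAIN:-0}" = 1 ]; then firewall_second_way; fi
```

`dead_rules "$(iptables -S INPUT)"` on a live host is a quick audit for the mistake the post warns about: a rule appended with -A after the drop-all rule that never matches. Neither way persists across a reboot on its own; that is a separate step the post does not cover.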